#!/bin/sh
DOMAIN=$1            # 域名
if [ ! $1 ]; then
  echo "请输入查询域名！正确打开方式：'sh get-ssl.sh demo.imx.xyz'"
  exit 0;
fi
CERT_FOLDER="/opt/cert"  # 证书存放的目录，结尾不能是"/"字符
export Ali_Key="Ali_key_value"           # 阿里云RAM用户账户API key
export Ali_Secret="Ali_secret_value"     # 阿里云RAM用户账户AccessKey
echo "################################################################################"
echo "正在创建证书安装所需要的目录,请稍等..."
# 创建证书安装所需要的目录

if [ ! -d ${CERT_FOLDER}  ];then
  mkdir ${CERT_FOLDER}
  echo "证书存放的目录:${CERT_FOLDER}"
else
  echo "证书存放的目录:${CERT_FOLDER}"
fi

if [ ! -d ${CERT_FOLDER}/${DOMAIN}  ];then
  mkdir ${CERT_FOLDER}/${DOMAIN}
  echo "证书存放的目录:${CERT_FOLDER}/${DOMAIN}"
else
  echo "证书存放的目录:${CERT_FOLDER}/${DOMAIN}"
fi

if [ ! -d ${CERT_FOLDER}/${DOMAIN}_ecc  ];then
  mkdir ${CERT_FOLDER}/${DOMAIN}_ecc
  echo "证书存放的目录:${CERT_FOLDER}/${DOMAIN}_ecc"
else
  echo "证书存放的目录:${CERT_FOLDER}/${DOMAIN}_ecc"
fi
echo "################################################################################"

if [ ! -d ~/.acme.sh  ];then
  echo "正在安装acme.sh,请稍等..."
  #apt install socat # 仅stand alone模式需要
  curl https://get.acme.sh | sh
  #alias acme.sh='/root/.acme.sh/acme.sh'
  alias acme.sh='~/.acme.sh/acme.sh'

  echo "开启acme.sh自动更新"
  acme.sh  --upgrade  --auto-upgrade                 # 更新acme.sh
else
  echo "acme.sh 脚本已正常安装,正在跳过安装"
  alias acme.sh='~/.acme.sh/acme.sh'
fi
echo "################################################################################"



echo "################################################################################"
echo "正在申请ECC RSA双证书,请稍等..."
##
# 申请RSA证书
acme.sh --issue -d ${DOMAIN} --dns dns_ali   \
        --dnssleep 30 --ocsp --days 30 --keylength 4096

# 申请ECC证书
acme.sh --issue -d ${DOMAIN} --dns dns_ali   \
        --dnssleep 30 --ocsp --days 30 --keylength ec-384

# 安装ECC证书
acme.sh --install-cert -d ${DOMAIN} --ecc                               \
        --key-file        ${CERT_FOLDER}/${DOMAIN}_ecc/privkey.pem      \
        --fullchain-file  ${CERT_FOLDER}/${DOMAIN}_ecc/fullchain.pem    \
        --cert-file       ${CERT_FOLDER}/${DOMAIN}_ecc/cert.pem         \
        --ca-file        ${CERT_FOLDER}/${DOMAIN}_ecc/chain.pem         \
        --reloadcmd       "systemctl force-reload nginx.service"

# 安装RSA证书
acme.sh --install-cert -d ${DOMAIN}                                     \
        --key-file        ${CERT_FOLDER}/${DOMAIN}/privkey.pem          \
        --fullchain-file  ${CERT_FOLDER}/${DOMAIN}/fullchain.pem        \
        --cert-file       ${CERT_FOLDER}/${DOMAIN}/cert.pem             \
        --ca-file        ${CERT_FOLDER}/${DOMAIN}/chain.pem             \
        --reloadcmd       "systemctl force-reload nginx.service"
echo "################################################################################"
echo  
#echo "#创建定时任务合并证书链"
#if ! grep "cat ${CERT_FOLDER}/${DOMAIN}_ecc/chain.pem ${CERT_FOLDER}/${DOMAIN}/chain.pem > ${CERT_FOLDER}/${DOMAIN}_ecc/chain.crt && systemctl force-reload nginx.service > /dev/null" /var/spool/cron/root  >/dev/null;then
#   echo "正在添加定时任务用于自动合并证书，请使用 crontab -l 查询"
#   echo "$[$RANDOM%59+1] $[$RANDOM%3+0] * * * cat ${CERT_FOLDER}/${DOMAIN}_ecc/chain.pem ${CERT_FOLDER}/${DOMAIN}/chain.pem > ${CERT_FOLDER}/${DOMAIN}_ecc/chain.crt && systemctl force-reload nginx.service > /dev/null" >>/var/spool/cron/root
#   cat ${CERT_FOLDER}/${DOMAIN}_ecc/chain.pem ${CERT_FOLDER}/${DOMAIN}/chain.pem > ${CERT_FOLDER}/${DOMAIN}_ecc/chain.crt && systemctl force-reload nginx.service > /dev/null
#else
#   echo "定时自动合并证书认为已存在，使用 crontab -l 查询"
#   cat ${CERT_FOLDER}/${DOMAIN}_ecc/chain.pem ${CERT_FOLDER}/${DOMAIN}/chain.pem > ${CERT_FOLDER}/${DOMAIN}_ecc/chain.crt && systemctl force-reload nginx.service > /dev/null
#fi
echo  
echo "################################################################################"
echo  
echo "手动更新证书请使用:"
echo  "   acme.sh --renew -d ${DOMAIN} --force"
echo  "   acme.sh --renew -d ${DOMAIN} --force --ecc"
echo  
echo "################################################################################"
echo  
echo "吊销证书请使用:"
echo  "   acme.sh --revoke -d ${DOMAIN}"
echo  "   acme.sh --revoke -d ${DOMAIN} --ecc"
echo  
echo "################################################################################"
echo  "请手动修改Nginx证书配置为："
echo
echo  "    # ECC Cert"
echo  "    ssl_certificate                      ${CERT_FOLDER}/${DOMAIN}_ecc/fullchain.pem;"
echo  "    ssl_certificate_key                  ${CERT_FOLDER}/${DOMAIN}_ecc/privkey.pem;"
echo
echo  "    # RSA Cert"
echo  "    ssl_certificate                      ${CERT_FOLDER}/${DOMAIN}/fullchain.pem;"
echo  "    ssl_certificate_key                  ${CERT_FOLDER}/${DOMAIN}/privkey.pem;"
echo
echo  "    # verify chain of trust of OCSP response using Root CA and Intermediate certs"
echo  "    ssl_trusted_certificate              ${CERT_FOLDER}/${DOMAIN}_ecc/chain.pem;"
echo  
echo "################################################################################"